Syncing Chef Server with external Git Repo


#1

Hello All,

I am doing some research on how to integrate Chef Server with a Git repo in a way that we only commit to our Git repo (which is hosted on AWS Code Commit) and Chef Server gets the code and data from that Git repo either periodically or on every commit. The reason we want to do this is so that nobody can directly upload anything to Chef Server and all changes are tracked.

Apologies if the question sounds a bit vague as I fairly new to this sort of integration, please let me know and I can provide more information.

Any help or information would be highly appreciated.

Thanks,
Rahul


#2

Set up a Ci system to do this. I’m not familiar with the features of the AWS product, but the basic options are to have your repo run some kind of hook to make the Ci system start, or have the Ci system poll your git repo periodically.

Then you just need to configure the Ci system to run the same commands that you would run if you were doing this manually (e.g., knife upload and so on).

You might also want to run some tests on your cookbooks and such as part of a pipeline to do some basic verification of the code before it goes to the Chef Server, but the details of that depend on how much work you are willing to put into configuring the pipeline and what your requirements are.


#3

Here is an example where the chef key file is stored on a ci server, and each cookbook has a .berkshelf directory that contains a json file with the config of which chef servers to upload to.

Assuming you are using something like jenkins, team city, gitlab -ci that integrates with your version git server. Te following script would be configured to only run on merge to master, or every time a git tag is created.

- rm -f Berksfile.lock
- echo "$LAB_CHEF_KEY" > "/foobar/private-key.pem"
- berks install --config=.berkshelf/foo.json
- berks upload --config=.berkshelf/foo.json
- rm /foobar/private-key.pem

Inside the cookbook in .berkshelf/foo.json

{
  "chef": {
    "chef_server_url": "https://chef.example.com/organizations/foobar",
    "client_key": "/foobar/private-key.pem",
    "node_name": "foobar"
  },
  "ssl": {
    "verify": true
  }
}

You can also look into facebooks grocery delivery


GIT to manage cookbooks
#4

I would suggest to keep at least two chef-server environments. One for production and the other for dev/test.
As soon as the cookbooks changes passes your tests an automated process can upload those changes to your production chef-server.